Posted by BeauHD on Monday March 12, 2018 @08:10PM from the under-the-radar dept.

An anonymous reader quotes a report from Engadget: Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 -- no one knew it was there. Recent MikroTik router firmware updates should fix the issue. However, there's concern that other router makers might be affected.

This is the biggest scandal no one cares about. I am involved in politics and the upcoming election, and was just demoed a service that was beyond creepy. Basically they provide a library that is widely used by developers, and by the saleswoman's account their stack was in an app on 80% of phones in the world. Android or iOS.

During the pitch she spoke of micro-targeting people, and suggested we could see who was at a certain large political rally in DC for both of the last two years. While immediately creepy in its own right, I asked how her company could take supposedly anonymized info from location sharing and match it with an actual person. She replied that they simply geofenced the phones while people were probably asleep, which after a while gave away their home address. They could then match that location with voter files and people's names.

The implications of this one example were staggering to me. Would you suspect a popular game or restaurant app could be used to completely profile you by a third party? We do around here, but most people don't. They don't get the connections. But I asked if she thought people would be unhappy knowing that apps were secretly being used to share such personal information. To her credit she said yes they would. And she admitted the service would be illegal in Europe.

In the end I told her that as a privacy advocate I wanted to throw up in the back of my throat (actual quote), but as an advisor to campaigns I would have to tell them to use the tech. You don't bring a knife to a data fight, and it's clear it's a data fight now.

I can see where you might see a contradiction. However I do know that my many conversations with elected officials have had an effect on net neutrality support and encryption rights. I do have to wear two hats, and I don't like it. But right now those who oppose net freedoms are using these tools to defeat those efforts. Trump is in office because of data tools like these. I cannot tell those opposing him not to use the legal tools at their disposal.
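The "geofence the phones while people are probably asleep" step described in the post above, followed by the match against a voter file, as an added worked example (not code from the original thread or from the company being described). Every ping, coordinate and voter row is constructed; the grid size, the 02:00-05:00 window and the two-night threshold are assumptions chosen for illustration.

```python
"""Added example (not from the thread): inferring a home location from the
small-hours location pings an app SDK reports, then matching that location
against a voter-file extract.  All data below is constructed."""
from datetime import datetime

CELLS_PER_DEG = 1000          # ~110 m north-south cells; assumed grid size
SLEEP_HOURS = range(2, 5)     # local hours treated as "probably asleep"; assumption

# Constructed pings: (ISO-8601 local timestamp, lat, lon).  Daytime pings wander
# around downtown DC; the small-hours pings cluster at one residential spot.
SAMPLE_PINGS = [
    ("2018-03-09T12:30:00-05:00", 38.8977, -77.0365),
    ("2018-03-09T23:10:00-05:00", 38.8892, -77.0501),
    ("2018-03-10T02:12:00-05:00", 38.9211, -77.0431),
    ("2018-03-10T09:05:00-05:00", 38.8950, -77.0200),
    ("2018-03-11T03:40:00-05:00", 38.9209, -77.0429),
    ("2018-03-11T19:00:00-05:00", 38.8895, -77.0353),
    ("2018-03-12T02:55:00-05:00", 38.9212, -77.0428),
    ("2018-03-13T03:15:00-05:00", 38.9050, -77.0330),  # one night away from home
]

# Constructed voter-file extract: (name, street, geocoded lat, lon).
SAMPLE_VOTERS = [
    ("A. Voter", "100 Example St NW", 38.9211, -77.0430),
    ("B. Voter", "1600 Pennsylvania Ave NW", 38.8977, -77.0365),
    ("C. Voter", "120 Example St NW", 38.9216, -77.0440),
]


def grid_cell(lat, lon):
    """Snap a coordinate to an integer grid cell so jittered pings collapse together."""
    return (round(lat * CELLS_PER_DEG), round(lon * CELLS_PER_DEG))


def cell_center(cell):
    return (cell[0] / CELLS_PER_DEG, cell[1] / CELLS_PER_DEG)


def infer_home(pings, min_nights=2):
    """Return ((lat, lon), nights) for the cell seen on the most distinct nights
    during SLEEP_HOURS, or None when no cell is supported by min_nights nights."""
    nights_per_cell = {}
    for ts, lat, lon in pings:
        when = datetime.fromisoformat(ts)
        if when.hour not in SLEEP_HOURS:
            continue
        nights_per_cell.setdefault(grid_cell(lat, lon), set()).add(when.date())
    if not nights_per_cell:
        return None
    best_cell, nights = max(nights_per_cell.items(), key=lambda kv: len(kv[1]))
    if len(nights) < min_nights:
        return None
    return cell_center(best_cell), len(nights)


def match_voters(home, voters, tolerance=1):
    """Names whose geocoded address lies within `tolerance` cells of the inferred home."""
    home_cell = grid_cell(*home)
    hits = []
    for name, _street, lat, lon in voters:
        cell = grid_cell(lat, lon)
        if abs(cell[0] - home_cell[0]) <= tolerance and abs(cell[1] - home_cell[1]) <= tolerance:
            hits.append(name)
    return hits


if __name__ == "__main__":
    result = infer_home(SAMPLE_PINGS)
    print("inferred home:", result)
    if result:
        print("voter-file candidates:", match_voters(result[0], SAMPLE_VOTERS))
```

Three nights of pings in one 100 m cell are enough to narrow a "anonymous" device down to a couple of households, which is why coarsening or pseudonymizing the device ID does nothing against this: the identifier is the sleeping location itself.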

I cannot tell those opposing him not to use the legal tools at their disposal.

Assert.Bullshit();

You can absolutely tell them not to use those tools. Just like you can (for instance) tell them not to sponsor misleading but legal attack ads. Furthermore, they can then proclaim that they don't use them, and then have serious conversations about whether such a practice ought to be legal without looking the hypocrite.

I appreciate your work under the one hat. I would like to appreciate your work under the other, and I understand how the situation is difficult for you. But it is doublespeak

So I should tell people not to use the legal tools their competition is using? Is it better to be a noble loser who cannot effect change than an elected official who can? What is being offered is perfectly legal at this point. And for the record I brought up this very topic of micro-targeting and shared data with a Senator last weekend, urging them to make this sort of thing illegal. So while trying to get elections won I am seeding the idea of addressing the abuse legally. Until you have to navigate these

I agree, but if you're a true privacy advocate you should be willing to publicize this more. At the very least email me the name of the company so I can do some personal research and work on highlighting this and making it illegal in the US as well as Europe.

Why can we not find these assholes, and publicly hang them? And leave them dangling for a while for all to see. They are poisoning the well - this is not cute hacker fun. This is, and has been, very serious. And nothing seems to be done about it.

Who said anything about announcing? How about not letting it happen? Had they done their jobs, the terrorists would have had perfectly ordinary-seeming accidents or been found with large amounts of heroin and locked away. Instead, they caused 9/11.

The NSA has a dual mission. They are charged with finding attacks that will work on foreign powers and securing US infrastructure. Any time they find a vulnerability, they have to make a judgement call over whether it's more important to fix it domestically or to have it available to attack other people with. If they didn't publicly disclose something, it means that either:

They made this judgement call that it was worth the risk of other people attacking, or

Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD IT systems, not private infrastructure, individual citizens' home networks or companies in general. They probably are allowed to inform and advise larger corporations of threats but that's about it. Their main role is SIGINT.

So yes, of course they will hoard and weaponize exploits. In case of these routers, the above AC is right, that could easily be an NSA exploit. It de

Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD IT systems, not private infrastructure, individual citizens' home networks or companies in general.

This is mostly true, though it's all US government infrastructure and not just the DoD; however, there's a lot of private infrastructure that is critical for national security and so they don't make such a hard distinction. It doesn't matter if your air force is still working fine if none of your personnel can make it to the airbase because civilian infrastructure has collapsed. If a vulnerability is discovered in a home router, you'd better be very sure that no one in the chain of command (and no elected

All of the AV that can be found and tested.
Recall the CIA and who could find what code over the years? Lots of different AV software missed detection. Some brands of AV had some better ideas about what system was infected.
"Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA" (4/10/2017) https://arstechnica.com/inform... [arstechnica.com]

Recall how a modem or router can be upgraded with a file from the home-computer-network side.
Some nation is pushing malware upgrades into devices and they are being accepted as a normal upgrade by the device.
Some methods used are a random walk-in in person from "tech" support with their USB device. A chat with the boss and the device is upgraded.
A person is away from home at work and their network is on. The device gets a nation-state malware upgrade pushed down the network.
Lots of ways in with a person, via

We recently had to admonish our telecom contractor over his re-use of a USB stick. He was using it to update firmware on our IPECS phone system; when asked "Is that write-protected and in read-only mode?" he didn't really know what we were talking about. When asked "How many other companies have you used that USB stick in since the last low-level format?" the light bulb came on. After that we started making him download the firmware on our network, and use a USB stick we provided. We have to be 800-171 compliant for DoD contracts, so this stuff matters.

Yes, it's fun to think about how much of this state-created malware got pushed up from the trusted side of a network.
Tech support talking fast and seen by staff talking to the boss then moving to any computer with their USB files?
A charming NGO worker (spy) with a video to play on a computer on the trusted side of a network to show the boss how a "charity" event went...
How many get the malware update via the internet pushed down in the wild?

My listing for this is years out of date, but is it still the case that the only modern flash drives with hardware write protection are from Kanguru, a few models of PQI, and maybe 1-2 Imation devices?

Do you allow devices like the secured IODD/Zalman drive enclosures that can be set up for read-only access as well?

Holy smokes, I really was out-of-date. Imation is dead and in a holding company with (possibly) PNY able to make things using the name, PQI appears to no longer have any write-protected drives, Ritek appears to no longer have any write-protected drives and I missed Netac.

Mikrotik is quite special. The routers are administered via a special tool 'WinBox'. When you connect to a certain type of router a DLL is downloaded to your PC and loaded that tells WinBox how to talk to this model. Of course, if you replace this DLL with a backdoored one then the administrator PC will get hacked.

I have always found this setup quite risky. There is public code available that runs a fake Mikrotik router, serving a DLL of your choice: https://0day.today/exploit/18143 You only need to replace
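Both the contractor's USB-stick story above (firmware images carried between sites) and the WinBox comment (a DLL fetched from the router and loaded on the admin PC) come down to the same control: only feed a trusted machine files whose hashes were pinned from a source you trust, and refuse anything else. The following is an added example, not code from the thread, from MikroTik or from any vendor; the file names and contents are constructed, and a real pin list would come from the vendor's published checksums or your own golden copy, never from the device that is being updated or administered.

```python
"""Added example (not from the thread): pinning SHA-256 hashes for files that
are about to be fed to a trusted system, whether a firmware image on a
technician's USB stick or a per-model plugin DLL that WinBox pulled from a
router.  File names and contents are constructed for the demo."""
import hashlib
import pathlib
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large firmware images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksums(text):
    """Parse sha256sum(1)-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        pins[name] = digest.lower()
    return pins


def verify_tree(root, pins):
    """Hash every file under root and sort it into ok / mismatch / unexpected / missing.

    'unexpected' is the important bucket for the WinBox case: a DLL that was never
    pinned must not be loaded just because a router offered it."""
    root = pathlib.Path(root)
    report = {"ok": [], "mismatch": [], "unexpected": [], "missing": []}
    seen = set()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in pins:
            report["unexpected"].append(rel)
        elif sha256_file(path) == pins[rel]:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    report["missing"] = sorted(set(pins) - seen)
    return report


def demo():
    """Build a constructed 'USB stick', pin its known-good contents, then simulate
    a tampered plugin and a stray file left behind at another customer."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "router-firmware.bin").write_bytes(b"constructed firmware image")
        (root / "winbox-plugin.dll").write_bytes(b"constructed WinBox plugin")
        # Pin list built from the known-good copies; stands in for the vendor's sha256sums.
        pin_text = "\n".join(f"{sha256_file(p)}  {p.name}" for p in sorted(root.iterdir()))
        pins = parse_checksums(pin_text)
        # What the stick looks like after a trip through other sites.
        (root / "winbox-plugin.dll").write_bytes(b"constructed WinBox plugin, now backdoored")
        (root / "leftover-installer.exe").write_bytes(b"left behind at a previous site")
        return verify_tree(root, pins)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:10s} {names}")
```

The check is only as good as where the pins come from: hashing a DLL against a digest the same router handed you proves nothing, and a stick that is not hardware write-protected can be re-infected after it passed the check, which is why the comment above pairs this with a low-level format and a read-only stick.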

WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to.

Maybe your own doesn't.

But lots of equipment provided to clients by telcos (the router that you received for free when you signed up for DSL/cable/fibre internet) does.

In the name of user-friendliness, defined as "my grandma is unable to upgrade the firmware or even configure the settings, so auto-updates are imposed on everybody", nearly all of these devices download and run a ton of shit. It might be just scripts (to set or update configuration) or it might be a complete firmware upgrade (including the telco's own "opt

How can we trust a firmware update to reliably clean up an infected device? After all, the firmware update would need to be installed by the currently running infected firmware. Couldn't the current firmware infect the new firmware as it's being installed? Sounds like we might need to JTAG a new image straight to the hardware.
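The comment above is right that the running firmware is the wrong thing to ask whether a reflash worked; the answer is to read the flash back out of band (JTAG, or an SPI clip on the part) and compare it with the vendor image on another machine. The comparison step, as an added example that is not from the thread or from MikroTik: it reports which byte ranges of the image differ, and separately flags anything non-erased in the part beyond the end of the image, which is where a persistence payload would sit. The golden image and the dump are constructed bytes, and 0xFF as the erased-flash value is an assumption that holds for NOR flash (NAND dumps need the OOB/ECC layout stripped first).

```python
"""Added example (not from the thread): auditing a flash dump read back over
JTAG/SPI against the vendor image after a reflash.  Data is constructed;
0xFF as the erased value is an assumption (true for NOR, not in general)."""
import hashlib


def differing_runs(expected, actual, offset=0):
    """Return [(start, end)] byte ranges (end exclusive) where actual != expected,
    offset by `offset` so the ranges are absolute flash addresses."""
    runs, start = [], None
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            if start is None:
                start = i
        elif start is not None:
            runs.append((offset + start, offset + i))
            start = None
    if start is not None:
        runs.append((offset + start, offset + min(len(expected), len(actual))))
    return runs


def audit_dump(golden, dump, erased=0xFF):
    """Compare a full-chip dump with the golden image.

    The dump is usually larger than the image (the whole part was read); bytes
    past the image must be in the erased state, otherwise something else lives there."""
    overlap = min(len(golden), len(dump))
    modified = differing_runs(golden[:overlap], dump[:overlap])
    tail = dump[len(golden):]
    unerased_tail = differing_runs(bytes([erased]) * len(tail), tail, offset=len(golden))
    report = {
        "golden_sha256": hashlib.sha256(golden).hexdigest(),
        "dump_sha256": hashlib.sha256(dump).hexdigest(),
        "golden_size": len(golden),
        "dump_size": len(dump),
        "truncated": len(dump) < len(golden),   # dump shorter than the image: read failed or wrong part
        "modified": modified,
        "unerased_tail": unerased_tail,
    }
    report["clean"] = not (report["truncated"] or modified or unerased_tail)
    return report


def build_sample():
    """Constructed 1 KiB 'vendor image' on a 1.5 KiB 'flash part', with a patched
    instruction inside the image and a payload parked past its end."""
    golden = bytes(range(256)) * 4
    dump = bytearray(golden) + bytes([0xFF]) * 512
    dump[100:104] = b"\xde\xad\xbe\xef"
    dump[1200:1204] = b"BOOT"
    return golden, bytes(dump)


if __name__ == "__main__":
    golden, dump = build_sample()
    r = audit_dump(golden, dump)
    print("clean:", r["clean"])
    for lo, hi in r["modified"]:
        print(f"  modified  0x{lo:06x}-0x{hi:06x}")
    for lo, hi in r["unerased_tail"]:
        print(f"  non-erased past image end 0x{lo:06x}-0x{hi:06x}")
```

In practice the reflash itself is done with the same programmer, so the dump is taken after writing and the only trust assumption left is the programmer host, which is the point of going around the device's own update path.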